DKM: Design and Verification of a Crypto-Agile Distributed Key Manager

We present the design and verification of a distributed key
management system.
This component implements a new data protection API for groups of
users.
It manages groups and their underlying cryptographic keys and
policies.
It is currently used by several large data-center applications.
To ensure long-term data protection, it supports cryptographic
agility, so that cryptography algorithms and policies can evolve for
protecting fresh data while preserving access to old data.
To verify the security of our design and our production code
(written in C#), we also write a reference implementation in F#.
Formally, we verify our F# code against a symbolic model of cryptography
using F7, a refinement typechecker coupled with a model checker.
Experimentally, we test that the corresponding C# and F# code
fragments are interchangeable.
We also report on several problems we uncovered and fixed during this
verification effort.